Error "Illegal character in query at index 80"

Question

I'm making an app that sends an SQL statement to a PHP that searches a database and returns a JSON's hosted.

Currently in my app I pass this statement, SentenciaFinal has this value also:

SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000

The error is as follows:

10-25 16:12:36.201: E/ServicioRest(1240): Error!
10-25 16:12:36.201: E/ServicioRest(1240): java.lang.IllegalArgumentException: Illegal    character in query at index 80:   http://proyectosccv.zz.mu/AppAndroid/phps/ConsultaHabilidad.php?sentencia=SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000
10-25 16:12:36.201: E/ServicioRest(1240):   at java.net.URI.create(URI.java:727)
10-25 16:12:36.201: E/ServicioRest(1240):   at org.apache.http.client.methods.HttpGet.<init>(HttpGet.java:75)
10-25 16:12:36.201: E/ServicioRest(1240):   at browser.habilidades.Busqueda.colocarList(Busqueda.java:63)
10-25 16:12:36.201: E/ServicioRest(1240):   at browser.habilidades.Busqueda.onCreate(Busqueda.java:40)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.Activity.performCreate(Activity.java:5104)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1080)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2144)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2230)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.access$600(ActivityThread.java:141)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1234)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.os.Handler.dispatchMessage(Handler.java:99)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.os.Looper.loop(Looper.java:137)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.main(ActivityThread.java:5041)
10-25 16:12:36.201: E/ServicioRest(1240):   at java.lang.reflect.Method.invokeNative(Native Method)
10-25 16:12:36.201: E/ServicioRest(1240):   at java.lang.reflect.Method.invoke(Method.java:511)
10-25 16:12:36.201: E/ServicioRest(1240):   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793)
10-25 16:12:36.201: E/ServicioRest(1240):   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560)
10-25 16:12:36.201: E/ServicioRest(1240):   at dalvik.system.NativeStart.main(Native Method)

and the piece of code where I run is this:

private void colocarList(String SentenciaFinal) {
 try {


 HttpGet peticion = new HttpGet(
                           "http://proyectosccv.zz.mu/AppAndroid/phps/ConsultaHabilidad.php?sentencia="+SentenciaFinal);

            peticion.setHeader("content-type", "application/json");

            HttpClient httpClient = new DefaultHttpClient();
            HttpResponse resp = httpClient.execute(peticion);
            String respStr = EntityUtils.toString(resp.getEntity());

            JSONArray resparray = new JSONArray(respStr);

            int n = resparray.length();

            NombreHabilidades = new String[n];

            for (int i = 0; i < resparray.length(); i++) {
                    JSONObject respJSON = resparray.getJSONObject(i);

                    String nombre = respJSON.getString("Nombre");
                    NombreHabilidades[i] = nombre;
            }

            // Rellenamos la lista con los resultados
            ArrayAdapter<String> adaptador = new ArrayAdapter<String>(this,
                            android.R.layout.simple_list_item_1, NombreHabilidades);
            list.setAdapter(adaptador);


    } catch (Exception ex) {
            Log.e("ServicioRest", "Error!", ex);
    }

}

---

I know how working with json and my app I have given internet connection permits.

I THINK it is an error in the judgment that something happened, but not sure.

Thank you very much! = D

Answer 1

Convert to URI

URI uri = new URI(
    "http", 
    "proyectosccv.zz.mu", 
    "/AppAndroid/phps/ConsultaHabilidad.php?sentencia=SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000",
    null);
HttpGet peticion = new HttpGet(uri );

Answer 2

While answers here may address the technical aspect of calling the PHP script I will address the security here. You have a link of the sort:

http://domain.com/dir/phpfile.php?sql=SELECT Foo, Bar FROM...

This is a large security flaw. Imagine a user loading:

http://domain.com/dir/phpfile.php?sql=DROP TABLE FooTable;

This would destroy your SQL table as it looks someone did during the time of this post.

I would rethink this completely. You must accept a parameter and add it to the SQL query after filtering it:

http://domaim.com/dir/phpfile.php?getitem=FooItem

would become:

SELECT SomeCol from SomeTable WHERE SomeOtherCol='FooItem'

This would be done by concatenating the request with SELECT SomeCol FROM SomeTable WHERE SomeOtherCol=' with the request string with ' at the end as a delimiter in the simplest case.

However, this is still open to hacking with something called "Sql Injection" where a party would request:

http://domaim.com/dir/phpfile.php?getitem=FooItem'; DROP TABLE FooTable; --

which would still drop the table. To fix this use mysqli::real_escape_string as

$filteredString = $db->realEscapeString($unsanitizedString);

and you will then concatenate the filtered string.